ARTICLE
12 March 2026

The Turkish DPA Published A Guideline On Agentic AI Systems

FE
Fidanci & Esin Partners

Contributor

Fidanci & Esin Partners logo
F&E Partners is a next-generation boutique law firm based in Istanbul, delivering full-spectrum legal solutions across diverse practice areas, including but not limited to dispute resolution, corporate, regulatory, and real estate matters. Combining international experience with meticulous local expertise, we offer agile, partner-led counsel and strategic insight to help clients thrive in a dynamic legal and business landscape.
Explore Firm Details
On 12 March 2026, the Turkish Personal Data Protection Authority (the "DPA") published its guideline titled "Agentic Artificial Intelligence" (the "Guideline").
Turkey Privacy
Şevval Bahar Esin and Kemal Fidanci
Your Author LinkedIn Connections
Şevval Bahar Esin’s articles from Fidanci & Esin Partners are most popular:
  • in Turkey
Fidanci & Esin Partners are most popular:
  • within Criminal Law, Insurance and Intellectual Property topic(s)

Recent Development

On 12 March 2026, the Turkish Personal Data Protection Authority (the "DPA") published its guideline titled "Agentic Artificial Intelligence" (the "Guideline"). The Guideline outlines what agentic artificial intelligence systems are, the functions of AI agents within these systems, their potential use cases, and the risks they may entail, and aims to set out the points that may need to be taken into consideration from a personal data protection perspective.

Although the Guideline is not binding, it constitutes an important reference source in terms of the DPA's expectations and assessment criteria in this field.

What Does the Guideline Cover?

What Are Agentic AI Systems?

The Guideline defines "Agentic AI" as systems composed of artificial intelligence agents that can act and interact with varying degrees of autonomy in order to achieve specific goals. Unlike traditional AI applications, these systems can perform multi-step tasks without requiring continuous human instruction and can coordinate actions by adapting to changing conditions. The Guideline further underlines that Agentic AI should not be understood as referring to a single type of technology, but rather as a design approach in which goal orientation, degree of autonomy and interaction with the environment come to the forefront.

Risks Related to the Protection of Personal Data

The main focus of the Guideline is how the structural characteristics of Agentic AI systems may be reflected in personal data processing activities. In this framework, the risks highlighted in the Guideline may be summarized as follows: the scope of data processing may expand in unforeseen ways due to the multi-step and distributed structure of such systems, making compliance with the principles of purpose limitation and data minimization more difficult; as the system progresses, newly emerging uses of data may cease to remain compatible with the legal grounds initially relied on for processing; data collected from different sources may be combined to create comprehensive profiles on individuals; the black-box nature of these systems may become even more pronounced in multi-agent structures, making it harder to ensure traceability of data processing activities and to establish an accountability framework; hallucinations in generative AI models may jeopardize the accuracy of personal data and cause errors to spread through multi-step workflows; and the expansion of the attack surface may increase the risk of disclosure of sensitive information through input manipulation.

Points to Be Considered

The Guideline recommends adopting a risk-based approach and highlights the following points:

  • Ensuring human-centric design and meaningful human oversight, and clearly defining in advance under which conditions and at which stages human intervention will come into play.
  • Systematically observing transparency and explainability, rendering interactions between system components traceable, and establishing control mechanisms that enable the early detection of undesired outcomes.
  • Clearly identifying the duties, powers and responsibilities of developers, deployers and other relevant actors, and adopting a cooperation-based approach that takes coordination into account.
  • Implementing the principles of privacy by design and privacy by default throughout the lifecycle of the systems.
  • Assessing, in a holistic manner, the risks that may arise from the functioning of Agentic AI systems by making use of tools such as data protection impact assessments.

Conclusion

Although the Guideline does not impose binding obligations, it sets out the DPA's assessment approach and expectations regarding Agentic AI systems. Organizations that use, or plan to use, such systems are advised to establish a data governance and risk assessment framework covering the use of Agentic AI, clarify the allocation of responsibilities among the actors involved in data processing activities, integrate human oversight mechanisms into the system as of the design stage, and inform their employees about the personal data processing dimension of these systems.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Şevval Bahar Esin
Şevval Bahar Esin
Photo of Kemal Fidanci
Kemal Fidanci
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More